Policy Configuration Files

Each file discussed in this section is relative to the policy name as follows:

/etc/selinux/<policy_name>

The majority of files are installed by the Reference Policy, semanage or semodule processes. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example, a simple monolithic policy could run at init 3 (i.e. no X-Windows) and only require the following configuration files:

./policy/policy.[ver] - The binary policy loaded into the kernel.

./contexts/files/file_contexts - To allow the filesystem to be relabeled.

If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional file is required:

./contexts/dbus_contexts - To allow the dbus messaging service to run under SELinux.

seusers File

This file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the user / passwd files) to SELinux users (defined in the policy). A typical login sequence would be:

Using the GNU / Linux user_id, lookup the seuser_id from this file. If an entry cannot be found, then use the __default__ entry.

To determine the remaining context to be used as the security context, read the ./contexts/users/[seuser_id] file. If this file is not present, then:

Check for a default context in the ./contexts/default_contexts file. If no default context is found, then:

Read the ./contexts/failsafe_context file to allow a fail safe context to be set.

Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system.

The format of the seusers file is the same as the files described in the ./modules/active/seusers.final and seusers section, where an example semanage user command is also shown.

# ./seusers file for an MLS system. Note that the system_u user
# has access to all security levels and therefore should not be
# configured as a valid GNU / Linux user.
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0

Supporting libselinux API functions are:

getseuser
getseuserbyname
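
The following is an added example (not code from the SELinux Notebook or libselinux) of the first step of the login sequence described above: parsing a seusers file, resolving a GNU / Linux user to its SELinux user with the __default__ fallback, and checking the note that system_u must not correspond to a real account. The seusers and passwd contents are constructed samples; the MLS range check is a simple syntax test and does not consult the policy.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed ./seusers content, in the same form as the MLS example above.
SEUSERS_TEXT = """\
# ./seusers (constructed sample for an MLS system)
system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0
"""

# Constructed /etc/passwd excerpt; only the login-name field is used.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:Fred:/home/fred:/bin/bash
"""

# MLS / MCS syntax: a level is s<n> with an optional category set such as
# c0.c255 or c1,c3.c5; a range is low[-high].  Used only to reject typos.
_LEVEL = r"s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
_RANGE_RE = re.compile(r"^" + _LEVEL + r"(?:-" + _LEVEL + r")?$")

SeuserTable = Dict[str, Tuple[str, Optional[str]]]


def parse_seusers(text: str) -> SeuserTable:
    """Map each GNU / Linux login name to (seuser, mls_range_or_None).

    The line is split on at most two ':' because the range itself contains
    ':' (s0-s15:c0.c255), so a plain split(':') would break it apart.
    """
    table: SeuserTable = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2 or not parts[0] or not parts[1]:
            raise ValueError(f"seusers line {lineno}: expected name:seuser[:range]")
        mls = parts[2] if len(parts) == 3 else None
        if mls is not None and not _RANGE_RE.match(mls):
            raise ValueError(f"seusers line {lineno}: malformed MLS range {mls!r}")
        table[parts[0]] = (parts[1], mls)
    return table


def lookup_seuser(table: SeuserTable, linux_user: str) -> Tuple[str, Optional[str]]:
    """Step 1 of the login sequence: the user's own entry, else __default__."""
    if linux_user in table:
        return table[linux_user]
    if "__default__" in table:
        return table["__default__"]
    raise LookupError(f"no seusers entry for {linux_user!r} and no __default__ line")


def passwd_names(text: str) -> Set[str]:
    """Login names present in a passwd-format file."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def real_accounts_mapped_to_system_u(table: SeuserTable, passwd: Set[str]) -> Set[str]:
    """GNU / Linux accounts that would log in as the system_u SELinux user.

    system_u has access to all security levels and must not be a real account,
    so on a correctly configured system this returns an empty set.
    """
    return {name for name, (seuser, _mls) in table.items()
            if seuser == "system_u" and name in passwd}


if __name__ == "__main__":
    table = parse_seusers(SEUSERS_TEXT)
    for user in ("root", "fred", "alice"):
        print(user, "->", lookup_seuser(table, user))
    print("offending accounts:", real_accounts_mapped_to_system_u(table, passwd_names(PASSWD_TEXT)))
```

The lookup for alice (no entry of its own) falls through to the __default__ line and yields user_u:s0, exactly as the text describes; the final check is the defender's test for the system_u note.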

setrans.conf File

This file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

The mcstrans package installs a number of sample configuration files, located at /usr/share/mcstrans/examples, that describe the configuration options in detail.

The daemon will not load unless a valid MCS or MLS policy is active.

The translations can be disabled by adding the following line to the file:

disable = 1

The semanage command can be used to update this file.

This file will also support the display of information in colour. The configuration file that controls this is called secolor.conf and is described in the secolor.conf File section.

The file format is as follows:

There are a number of configuration options available that are described in a README file within the source code package (but not included with the installed package). The contents of this file (from the mcstrans-0.3.1-3 source package) are as follows:

# This file is from the mcstrans-0.3.1/conf/README file within the source package.
# Syntax
# A domain is a self consistent domain of translation (English, German, Paragraph Markings ...)
Domain=NAME1
# Within a domain are a number of fixed translations
# format is raw_range=trans_range
s3:c200.c511=Confidential
# repeat as required...
# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup
Base=Sensitivity Levels
# raw_range=name
s1=Unclassified
# Aliases have the same name but a different translation.
# The first one is used to compute translations
s1=U
# inverse bits should appear in the base of any level that uses inverse bits
s2:c200.c511=Restricted
# repeat as required...
# Modifier Groups should be in the order of appearance in the translated range.
ModifierGroup=GROUP1
# Allowed white space can be defined
Whitespace=- ,/
# Join defines the character between multiple members of this group
Join=/
# A Prefix can be defined per group
Prefix=Releasable to
# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup
Default=c200.c511
# format is raw_categories=name
# ~ turns off inverse bits
~c200.c511=EVERYBODY
# Aruba - bit 201
~c200,~c201=ABW
~c200,~c201=AA
# Afghanistan - bit 202
~c200,~c202=AFG
~c200,~c202=AF
# repeat as required...
# Another Modifier Group
ModifierGroup=GROUP2
# With different white space
Whitespace=
# And different Join
Join=,
# A Suffix can be defined per group
Suffix=Eyes only
# Default categories need to be consistent
Default=c200.c511
# New domain
Domain=NAME2
# any text can be put in a separate file
Include=PATH
Include=PATH
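
As an added example (not part of the mcstrans package or the notebook), the parser below reads the Domain / Base / ModifierGroup syntax from the README above and implements the subset that is unambiguous from it: fixed raw_range=trans_range lines, Base entries with aliases (the first name given is used for forward translation, every alias maps back), and the disable = 1 switch. ModifierGroup lines are recognised but their categories are not applied, which is an assumption of scope, not mcstrans behaviour. The configuration text is a constructed sample.

```python
from typing import Dict, List, Optional, Tuple

# Constructed setrans.conf fragment using the syntax from the README above.
SETRANS_TEXT = """\
# constructed sample
Domain=NAME1
s3:c200.c511=Confidential
Base=Sensitivity Levels
s1=Unclassified
s1=U
s2:c200.c511=Restricted
ModifierGroup=GROUP1
Whitespace=- ,/
Join=/
Prefix=Releasable to
Default=c200.c511
~c200.c511=EVERYBODY
"""

# Keys that carry settings rather than raw=name translations.
SETTING_KEYS = {"Base", "Whitespace", "Join", "Prefix", "Suffix", "Default", "Include"}


class Domain:
    def __init__(self, name: str) -> None:
        self.name = name
        self.forward: Dict[str, str] = {}   # raw range -> first name given (computes translations)
        self.reverse: Dict[str, str] = {}   # every name, aliases included -> raw range
        self.groups: List[str] = []         # ModifierGroup names seen (not applied here)


def parse_setrans(text: str) -> Tuple[bool, Dict[str, Domain]]:
    """Return (disabled, domains) for the fixed and Base translations.

    Assumption: only raw_range=name lines outside a ModifierGroup are
    translated; ModifierGroup category lines are skipped.
    """
    disabled = False
    domains: Dict[str, Domain] = {}
    current: Optional[Domain] = None
    in_group = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"setrans.conf line {lineno}: expected key=value")
        key, value = key.strip(), value.strip()
        if key == "disable":
            disabled = value == "1"
        elif key == "Domain":
            current = domains.setdefault(value, Domain(value))
            in_group = False
        elif key in SETTING_KEYS:
            continue
        elif current is None:
            raise ValueError(f"setrans.conf line {lineno}: {key!r} before any Domain")
        elif key == "ModifierGroup":
            current.groups.append(value)
            in_group = True
        elif in_group:
            continue                              # modifier categories: out of scope
        else:
            current.forward.setdefault(key, value)  # first alias computes translations
            current.reverse[value] = key            # all aliases translate back
    return disabled, domains


def translate(domains: Dict[str, Domain], name: str, raw: str, disabled: bool = False) -> str:
    """Raw level/range -> human label; unchanged when disabled or unknown."""
    if disabled or name not in domains:
        return raw
    return domains[name].forward.get(raw, raw)


def untranslate(domains: Dict[str, Domain], name: str, label: str, disabled: bool = False) -> str:
    """Human label (any alias) -> raw level/range; unchanged when disabled or unknown."""
    if disabled or name not in domains:
        return label
    return domains[name].reverse.get(label, label)


if __name__ == "__main__":
    disabled, doms = parse_setrans(SETRANS_TEXT)
    for raw in ("s1", "s2:c200.c511", "s3:c200.c511", "s0"):
        print(raw, "->", translate(doms, "NAME1", raw, disabled))
    for label in ("U", "Unclassified", "Confidential"):
        print(label, "->", untranslate(doms, "NAME1", label, disabled))
```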

secolor.conf File

This optional file controls the colour to be associated with the various fields within the setrans.conf file when the information is displayed by an SELinux colour-aware application (currently none!). This has not been fully documented, however the file format is as follows:

A colour mask starting with a hash (#) that describes the colour with black being #ffffff and white being #000000.

context_field

The colour translation supports different colours on the context string components (user, role, type and range or level). Each component is on a separate line.

string

This is a defined string within the setrans.conf file that will be displayed in the colour required. The colour initialisation code will check that the field exists in the file. An asterisk (*) can be used to select all entries of the defined context_field entry.

policy/policy.[ver] File

This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format, but the libsepol source could be used as a reference or, for an overview, the SELinux Policy Module Primer notes.

The file name extension is the policy database version supported by the GNU / Linux release and can be found by executing the following command:

cat /selinux/policyvers
23

The different versions are discussed in the Policy Versions section.

contexts/customizable_types File

This file contains a list of types that will not be relabeled by the setfiles(8) or restorecon(8) commands. The commands check this file before relabeling and exclude files whose current type is in the list unless the -F flag is used (see the man pages).

The file format is as follows:

type

Where:

type

The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.
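
An added example (not the setfiles or restorecon code) of the decision the text describes: look up the context that file_contexts assigns to a path, then decide whether a relabel happens, is skipped because the file's current type is listed in customizable_types, or is forced by -F. The file_contexts excerpt and customizable_types list are constructed samples; the "last matching line wins" rule and the -d / -- file-type filters are assumptions about the spec format, not something this page states.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed ./contexts/customizable_types (one type per line).
CUSTOMIZABLE_TYPES_TEXT = """\
# constructed sample
httpd_sys_content_t
public_content_t
"""

# Constructed excerpt of ./contexts/files/file_contexts in the usual
#   regex  [-filetype]  context
# layout; the optional middle field is -- for regular files and -d for
# directories (other type codes exist but are not needed here).
FILE_CONTEXTS_TEXT = """\
/var/www(/.*)?       system_u:object_r:httpd_content_t:s0
/srv/ftp(/.*)?  -d   system_u:object_r:public_content_t:s0
/srv/ftp/.*     --   system_u:object_r:public_content_t:s0
/home/[^/]+/.*       system_u:object_r:user_home_t:s0
"""

FileSpec = Tuple[re.Pattern, Optional[str], str]


def parse_customizable_types(text: str) -> Set[str]:
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_file_contexts(text: str) -> List[FileSpec]:
    specs: List[FileSpec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"file_contexts line {lineno}: bad field count")
        specs.append((re.compile(regex), ftype, context))
    return specs


def expected_context(specs: List[FileSpec], path: str, is_dir: bool) -> Optional[str]:
    """Context the spec file assigns to path (assumption: last match wins)."""
    found = None
    for pattern, ftype, context in specs:
        if ftype == "-d" and not is_dir:      # directory-only spec
            continue
        if ftype == "--" and is_dir:          # regular-file-only spec
            continue
        if pattern.fullmatch(path):
            found = context
    return found


def restorecon_decision(path: str, is_dir: bool, current_type: str,
                        specs: List[FileSpec], customizable: Set[str],
                        force: bool = False) -> Tuple[str, Optional[str]]:
    """What setfiles/restorecon would do, as (action, target_type).

    force=True models the -F flag: relabel even when the file's current
    type is listed in customizable_types.
    """
    context = expected_context(specs, path, is_dir)
    if context is None:
        return "nospec", None
    target_type = context.split(":")[2]
    if target_type == current_type:
        return "unchanged", target_type
    if current_type in customizable and not force:
        return "skip-customizable", target_type
    return "relabel", target_type


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS_TEXT)
    cust = parse_customizable_types(CUSTOMIZABLE_TYPES_TEXT)
    page = "/var/www/html/index.html"
    print(restorecon_decision(page, False, "httpd_sys_content_t", specs, cust))
    print(restorecon_decision(page, False, "httpd_sys_content_t", specs, cust, force=True))
```

The first call shows the feature the text refers to: a file deliberately given httpd_sys_content_t keeps that label on a normal restorecon run, and only the forced run reverts it to the spec's httpd_content_t.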

# Note that the ./contexts/users/[seuser_id] file is also read
# by some of these functions.
selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context
get_default_role

An example use (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required, as only one role:type (unconfined_r:unconfined_t) had been defined; the login process therefore did not need to decide anything (the only possible user context was user_u:unconfined_r:unconfined_t).

However, when adding the loadable module that used another type (ext_gateway_t) with the same role and user (i.e. user_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to user_u:unconfined_r:ext_gateway_t (the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').

The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to:

unconfined_r:unconfined_t unconfined_r:unconfined_t

The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/user_u configuration file instead could also have achieved this.
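
The following is an added example (not libselinux code) that reproduces the ext_gateway_t problem and its fix. It models the second and third steps of the login sequence from the seusers section: contexts/users/[seuser_id] is consulted first, then default_contexts, then failsafe_context. The default_contexts line, the failsafe content and the REACHABLE table (standing in for the policy's list of role:type pairs the SELinux user may reach, which libselinux obtains from the kernel) are constructed; the selection rule, that the first listed candidate the user can reach wins and the policy's own sorted order applies when nothing is listed, is a simplification of libselinux and is an assumption here.

```python
from typing import Dict, List, Optional, Tuple

# Constructed ./contexts/default_contexts.  Each line is the login process
# role:type followed by the user role:type pairs to try, most preferred first.
# This is the entry the text arrived at.
DEFAULT_CONTEXTS_TEXT = """\
unconfined_r:unconfined_t unconfined_r:unconfined_t
"""

# Constructed ./contexts/failsafe_context (a single role:type line).
FAILSAFE_TEXT = "unconfined_r:unconfined_t\n"

# Constructed stand-in for "which role:type pairs may this SELinux user reach?".
# A fixed, sorted list reproducing the text's situation: two types, 'e' first.
REACHABLE: Dict[str, List[str]] = {
    "user_u": ["unconfined_r:ext_gateway_t", "unconfined_r:unconfined_t"],
}


def parse_preference_file(text: Optional[str]) -> List[Tuple[str, List[str]]]:
    """Parse default_contexts or users/[seuser_id] lines (same format)."""
    entries: List[Tuple[str, List[str]]] = []
    if text is None:                      # file not present
        return entries
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def preferred_order(login_rt: str, text: Optional[str]) -> Optional[List[str]]:
    """Candidates listed for this login role:type, or None if no line matches."""
    for login, candidates in parse_preference_file(text):
        if login == login_rt:
            return candidates
    return None


def choose_user_context(seuser: str, login_rt: str,
                        user_file: Optional[str], default_file: Optional[str],
                        failsafe_file: str = FAILSAFE_TEXT) -> Tuple[str, str]:
    """Return (role:type, source) in the order the text gives:
    users/[seuser_id], then default_contexts, then failsafe_context.

    Assumption: the first listed candidate the seuser can reach wins; with
    no matching line in either file the policy's own order is used, which
    is how the unwanted ext_gateway_t choice arose.
    """
    reachable = REACHABLE.get(seuser, [])
    for source, text in (("users/" + seuser, user_file),
                         ("default_contexts", default_file)):
        order = preferred_order(login_rt, text)
        if order is None:
            continue
        for candidate in order:
            if candidate in reachable:
                return candidate, source
    if reachable:
        return reachable[0], "policy order"
    return failsafe_file.strip(), "failsafe_context"


def full_context(seuser: str, role_type: str, mls: Optional[str]) -> str:
    """Assemble user:role:type[:range] for the session."""
    ctx = f"{seuser}:{role_type}"
    return f"{ctx}:{mls}" if mls else ctx


if __name__ == "__main__":
    login = "unconfined_r:unconfined_t"
    print("no entries: ", choose_user_context("user_u", login, None, None))
    print("with entry: ", choose_user_context("user_u", login, None, DEFAULT_CONTEXTS_TEXT))
    print("user file:  ", choose_user_context("user_u", login, DEFAULT_CONTEXTS_TEXT, None))
    print(full_context("user_u", "unconfined_r:unconfined_t", "s0"))
```

Passing the same line as the users/user_u file instead of default_contexts gives the same result, which is the alternative the text mentions.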

contexts/dbus_contexts File

This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as the GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The dbus-daemon man page details the contents, however it is not recommended that this file is changed. The Free Desktop web site has detailed information at:

contexts/default_type File

This file allows SELinux-aware applications such as newrole(1) to select a default type for a role if one is not supplied. An example is newrole being called to change a user's role with no type specified; this file is then consulted to determine the default type to use for the requested role.

The file format is as follows:

role:type

Where:

role:type

The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.

contexts/initrc_context File

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

The file format is as follows:

security_context

Where:

security_context

The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.

Example file contents:

# ./contexts/initrc_context - Taken from the reference policy.
system_u:system_r:initrc_t

# ./contexts/initrc_context - Taken from the MLS reference
# policy. Note that the init process has full access via the
# range s0-s15:c0.c255.
system_u:system_r:initrc_t:s0-s15:c0.c255

Supporting libselinux API functions are:

selinux_context_path

contexts/netfilter_contexts File

This file will support the Secmark labeling for Netfilter / iptables rule matching of network packets, however it is currently unused (see the ./modules/active/netfilter_contexts & netfilter.local file section for further information).

Supporting libselinux API functions are:

selinux_context_path
selinux_netfilter_context_path

contexts/removable_contexts File

This file contains the default label that should be used for removable devices that are not defined in the contexts/files/media file.

The file format is as follows:

security_context

Where:

security_context

The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.

Example file contents:

# ./contexts/removable_contexts - Taken from the reference policy.
system_u:object_r:removable_t

contexts/x_contexts File

This file provides the security contexts (and other configuration information) for the X-Windows SELinux security extension. The usage is discussed in the X-windows SELinux Support section, and examples of how to add additional entries are shown in the Experimenting with X-Windows section. The MCS / MLS version of the file has the appropriate level or range information added.

The selabel_* set of libselinux API functions allow information to be retrieved from the x_contexts file. These are described in the relevant man pages and also in selabel_x(5).

These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package) or by the X-Windows application (e.g. using XInternAtom).

This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers).

context

This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label (:s0 as standard).
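
An added example (not libselinux's selabel_x code) of how the '*' and '?' entries described above resolve against a concrete X resource name. The x_contexts excerpt is a constructed sample laid out as object_type, object_name, context, in the style of the reference policy file; the matching rule, first matching line wins with fnmatch-style wildcards where '?' stands for exactly one character, is an assumption made for this example.

```python
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed x_contexts excerpt:  object_type  object_name  context
# (MCS/MLS form, hence the trailing :s0 on every context).
X_CONTEXTS_TEXT = """\
# constructed sample
client    *             system_u:object_r:remote_t:s0
property  CUT_BUFFER?   system_u:object_r:clipboard_xproperty_t:s0
property  *             system_u:object_r:xproperty_t:s0
selection PRIMARY       system_u:object_r:clipboard_xselection_t:s0
selection *             system_u:object_r:xselection_t:s0
"""

XSpec = Tuple[str, str, str]   # (object_type, object_name pattern, context)


def parse_x_contexts(text: str) -> List[XSpec]:
    specs: List[XSpec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"x_contexts line {lineno}: expected 3 fields")
        specs.append((fields[0], fields[1], fields[2]))
    return specs


def lookup_x_context(specs: List[XSpec], object_type: str, object_name: str) -> Optional[str]:
    """First line whose object type matches and whose name pattern matches.

    Assumption: '*' matches any run of characters and '?' exactly one, as
    fnmatch does, so CUT_BUFFER? covers CUT_BUFFER0 to CUT_BUFFER7.  The
    more specific lines must therefore come before the '*' catch-all.
    """
    for otype, pattern, context in specs:
        if otype == object_type and fnmatchcase(object_name, pattern):
            return context
    return None


def object_type_of(specs: List[XSpec], context: str) -> List[str]:
    """All object types that some line maps to the given context (reverse lookup)."""
    return sorted({otype for otype, _p, ctx in specs if ctx == context})


if __name__ == "__main__":
    specs = parse_x_contexts(X_CONTEXTS_TEXT)
    for otype, name in (("property", "CUT_BUFFER3"), ("property", "WM_NAME"),
                        ("selection", "PRIMARY"), ("selection", "CLIPBOARD"),
                        ("cursor", "arrow")):
        print(otype, name, "->", lookup_x_context(specs, otype, name))
```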

contexts/files/file_contexts.local File

This file is added by the semanage fcontext command as described in the ./modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly.

contexts/files/file_contexts.homedirs File

This file is managed by the semodule and semanage commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.

It is generated by the genhomedircon(8) command (in fact by semodule -Bn, which rebuilds the policy) and used to set the correct contexts on users' home directories and files.

It is fully described in the ./modules/active/file_contexts.homedirs file section.

Supporting libselinux API functions are:

selinux_file_context_homedir_path
selinux_homedir_context_path

contexts/files/media File

Used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the ./contexts/removable_contexts is used instead.

The file format is as follows:

media_id file_context

Where:

media_id

The media identifier (those known are: cdrom, floppy, disk and usb).

file_context

The context to be used for the device. Note that it does not seem to have the MLS / MCS level.

Example file contents:

# ./contexts/files/media - Taken from the reference policy
# (note that the same file is generated for all types of policy).
cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t

Supporting libselinux API functions are:

selinux_media_context_path

contexts/users/[seuser_id] File

These optional files are named after the SELinux user they represent (e.g. seuser_id = user_u). Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user.